Apple Releases iOS 8, Patching Numerous Security Flaws

Apple has finally released iOS 8, the newest version of the mobile operating system that runs on the iPhone, iPad, and iPod touch. Alongside a number of new features, Apple has patched over 40 security flaws that were present in iOS 7.

Users can grab the new iOS 8 update over-the-air by navigating to Settings > General > Software Update on the mobile device. Otherwise, users can download the update directly to their computer and update the device using the latest version of iTunes.

Apple has said iOS 8 is the biggest update to the software since the company launched the App Store back in 2008. Aside from security patches, there are hundreds of new features packed into the latest update.

Vulnerabilities Patched in iOS 8

Among the vulnerabilities fixed in iOS 8 are a series of kernel flaws, several WebKit bugs and a pair of vulnerabilities that allow users to install apps found outside the App Store. Security researchers have stated that the most interesting flaw patched is a problem with the way iOS implemented 802.1X. The flaw could allow an attacker to steal users' WiFi credentials stored on the device.

“An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default,” the Apple advisory said.

As referred to above, LEAP (Lightweight Extensible Authentication Protocol) is an older authentication protocol developed by Cisco and used for authentication on wireless networks. LEAP has a number of known weaknesses and is susceptible to offline password cracking. Apple will disable LEAP by default when devices upgrade to iOS 8.

Apple also patched two app-installation vulnerabilities, which can be credited to the evad3rs team, the well-known team of crackers most prominently known for jailbreaking iPhones. One of the patched bugs is a race condition and the other is a path traversal issue; both could allow a local attacker to install unverified applications onto the device. In other words, the applications would not have come from the App Store, the device's only marketplace.

“A path traversal issue existed in App Installation. A local attacker could have retargeted code signature validation to a bundle different from the one being installed and cause installation of an unverified app. This issue was addressed by detecting and preventing path traversal when determining which code signature to verify,” the Apple advisory says.
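The kind of check the advisory describes can be sketched as follows. This is an added example, not Apple's code: it assumes a hypothetical installer that derives the file to signature-check from a relative path declared in the bundle's metadata, and the function name, bundle names and directory layout are constructed for illustration.

```python
import os
import tempfile


class UnsafeBundlePath(ValueError):
    """The declared path resolves outside the bundle being installed."""


def signature_target(bundle_root, declared_rel_path):
    """Return the real path whose signature must be verified, or raise."""
    root = os.path.realpath(bundle_root)
    if os.path.isabs(declared_rel_path):
        raise UnsafeBundlePath("absolute path: %r" % declared_rel_path)
    # realpath collapses ".." and follows symlinks, so both lexical and
    # symlink-based escapes are resolved before the containment test.
    candidate = os.path.realpath(os.path.join(root, declared_rel_path))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeBundlePath("escapes bundle: %r" % declared_rel_path)
    return candidate


def demo():
    """Constructed layout: a staged bundle next to an already trusted one."""
    results = {}
    with tempfile.TemporaryDirectory() as staging:
        staged = os.path.join(staging, "Staged.app")
        trusted = os.path.join(staging, "Trusted.app")
        os.makedirs(staged)
        os.makedirs(trusted)
        for path in (os.path.join(staged, "Staged"),
                     os.path.join(trusted, "Trusted")):
            open(path, "w").close()
        # A symlink inside the staged bundle that points at the other bundle.
        os.symlink(trusted, os.path.join(staged, "Frameworks"))
        for declared in ("Staged", "../Trusted.app/Trusted",
                         "Frameworks/Trusted", "/bin/sh"):
            try:
                signature_target(staged, declared)
                results[declared] = "verify"
            except UnsafeBundlePath:
                results[declared] = "reject"
    return results


if __name__ == "__main__":
    for declared, verdict in demo().items():
        print("%-28s %s" % (declared, verdict))
```

The containment check only helps if the resolved path it returns is the same object that is later opened and verified; resolving once and then re-walking the original path leaves room for a race between check and use.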

Other patched issues included a lasting issue that caused Bluetooth to be enabled by default whenever iOS was updated. iOS 8 also patched an integer overflow flaw in CoreGraphics that could lead to remote code execution. Another patch fixed a vulnerability that enabled a malicious application to bypass kernel ASLR, a key exploit mitigation in iOS.

Two issues in IOHIDFamily were also patched, both of which could lead to code execution.

Lastly, Apple patched various vulnerabilities in Safari and WebKit. The flaws patched in WebKit were 12 memory corruption issues. One Safari flaw enabled attackers with a privileged network position (a user on the same network) to intercept user credentials.

New Features in iOS 8

Moving away from vulnerabilities and security for a moment, iOS 8 brings tons of new features that will, overall, alter the functionality of Apple devices. Apple has introduced its new application HealthKit, which is a fitness application that users can tie other third-party fitness applications into to get information about their health. Family Sharing has also been introduced, meaning users can now share iTunes purchases, calendar information, messages in groups, in-app purchases and more across up to six devices. Users will not have to purchase the same items or add separate calendar dates across devices; content can now be downloaded for free and automatically synced.

Apple has also introduced an improved notification center widget, spotlight search functions, and the ability to install third-party keyboards, among other features. As iOS 8 is such a huge improvement, applications will start to implement iOS 8-specific features, changing the way users interact with applications.

While the new features and enhanced security are great, the update requires a massive 5.7GB of free space on the iPhone, and 6.9GB on the iPad. Due to Apple's limited storage, users may have to delete a large number of applications if their device is already full.